Security Incidents mailing list archives

Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com - Wrap up


From: "Edwards, David (JTS)" <Edwards.Dave () saugov sa gov au>
Date: Thu, 9 May 2002 12:45:25 +0930

Hi,

This is mainly aimed at closure for the list archives.  Needless to say, 
we learnt a lot during this incident.  

The incident was caused by an admin user following a link to an 
xbox emulator http://www.angelfire.com/empire/oftheants/xbox1.html
which just refreshes to the SFX executable 
http://www.angelfire.com/empire/oftheants/EMU_xbox.exe.


Investigation discovered:

Following this link downloads the file "EMU_xbox.exe" in the normal 
way via the "open or save" dialog. If the user chooses "open", another 
dialog opens with the text: "Setup.exe is not a valid Win32 application", 
but by this time the following has occurred:

The files "NetBUIE.exe" and "NBconfig.exe" are copied to 
"c:\windows\system"
The registry key "HKLM/SOFTWARE/Microsoft/Windows/Run/NetBUIE" 
is created with the value "C:\windows\system\NetBUIE.exe"

If the user has admin rights, the key 
"HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run" is 
also created with the same value.

This last key is where the main problem lies in the Win2k terminal
server environment, as each user runs a new instance of netbuie.exe
at logon.

Thanks to Matt Scarborough, Axel Pettinger and all the others with
helpful comments.  This list is a very useful resource!

Many people have asked for a copy of the malware.  The link above
will get them a copy if they need it.


Lessons learnt? The obvious one is of course that admin accounts 
should only be used for admin tasks, but we also found our incident
response procedures were less than adequate.

Finally, this malware has been around for about a month.  My 
initial searches failed to find any trace of it:
a) because the search engines "helpfully" suggested a misspelling of 
netbuie, and 
b) because I didn't check newsgroups.  Bit of a shock really, usenet
is still useful :-)

ciao
dave
---
Dave Edwards 
Justice Technology Services
Ph: +61 8 82265426 || 0408 808355 
mailto: edwards.dave () saugov sa gov au
Snail : Justice Technology Division 
        GPO Box 2048, Adelaide 5001
---
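A defender-side check for the persistence mechanism described in the post (Run key values pointing at NetBUIE.exe), added here as an example and not part of the original message or any tool the poster used. It parses the text of a `reg export` of the Run keys and flags entries that reference the reported file names; the .reg content below is constructed sample input, not a capture from the incident.

```python
"""Flag autorun (Run key) entries matching the NetBUIE indicators.

Parses text in `reg export` (.reg) format and reports Run values whose
command names one of the files reported in the incident.
"""
import re

# Indicator file names taken from the incident report.
SUSPECT_NAMES = {"netbuie.exe", "nbconfig.exe"}

# Constructed sample of a .reg export (not a real capture from the incident).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"NetBUIE"="C:\\windows\\system\\NetBUIE.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# One REG_SZ value line: "name"="data"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Yield (key_path, value_name, value_data) for each string value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = VALUE_RE.match(line) if key else None
        if match:
            # .reg files escape backslashes as "\\"; undo that escaping.
            data = match.group("data").replace("\\\\", "\\")
            yield key, match.group("name"), data


def find_netbuie_entries(text):
    """Return Run-key entries whose executable is one of the reported files."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith("\\run"):
            continue
        exe = data.split()[0].strip('"').lower() if data.strip() else ""
        base = exe.rsplit("\\", 1)[-1]
        if base in SUSPECT_NAMES or name.lower() == "netbuie":
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_netbuie_entries(SAMPLE_REG):
        print(f"suspect autorun: [{key}] {name} = {data}")
```

To run it against a real export, read the file produced by `reg export` (which is UTF-16 encoded) and pass its text to `find_netbuie_entries`.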



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

